[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1-MAILINGLIST] [FW1] (Still having) NAT Problem (and anti -spoofing is ok)
Lorenzo, I'm getting a little late into this, but looking at your original email, it seems that the Nat map you created is half-done. What you describe goes only one way. You probably need to build a second rule for the reverse packets. I.e. Src Dst Svc XSrc Xdst Svc Internal_IP Vendor_IP Any External_IP (Static mode) Original Original Vendor_IP External_IP Any Original Internal_IP Original Make sure you have your route and arp entries. Finally, your rule should look something like that. Src Dst Svc Action Vendor_IP External_IP ??? Accept Let me know how it goes. George -----Original Message----- From: Satana [mailto:[email protected]] Sent: Friday, October 05, 2001 6:16 AM To: [email protected] Subject: Re: [FW-1-MAILINGLIST] [FW1] (Still having) NAT Problem (and anti-spoofing is ok) Hi guys! Lots of you told me to check my anti-spoof settings. Well...that's ok (I even published other machines over Internet using the same way!) I really don't know what to do Thanx again for kind interest Lorenzo ----- Original Message ----- From: "Steven Wu" <[email protected]> To: "Satana" <[email protected]> Cc: <[email protected]> Sent: Thursday, October 04, 2001 10:27 PM Subject: Re: [FW1] (Still having) NAT Problem > It might be related to your fw object anti-spoofing configurations too. Please > check. > > Anyway, I would recommend trying tcpdump or snoop command to sniffer your fw > interface with the target web server and see what translation packet look like and > how the traffic routes. It might tell you the problems. > > Good luck ! > > Steven > > > Satana wrote: > > > Hi everybody and thanx for all your answers.... > > I've checked my FW1 rules & Address Translations and...you got me! something > > was messed up. > > Anyway..... I forgot to say that I obviously did the ARPing (arp -s EXT_IP > > MAC_ADDR pub) and I added the route (route add EXT_IP INT_IP 1), but still > > it isn't working. I've got an error on FW1 logs regarding rule0 (?). I'm > > pretty out of any ideas... > > Thanx again for help and interest > > > > Lorenzo > > > > ----- Original Message ----- > > From: "Chris Arnold" <[email protected]> > > To: "'Brockhoven, Werner '" <[email protected]>; "''Satana' '" > > <[email protected]>; <[email protected]> > > Sent: Thursday, September 27, 2001 5:19 PM > > Subject: RE: [FW1] NAT Problem > > > > > > > > I would stay away from automatic NAT rules personally. Do it manually as > > > there used to be issues with automatic NAT rules and manually gives you a > > > finer level of control as well. > > > > > > Chris > > > > > > -----Original Message----- > > > From: Brockhoven, Werner > > > To: 'Satana'; [email protected] > > > Sent: 9/26/01 2:13 AM > > > Subject: RE: [FW1] NAT Problem > > > > > > Hello Lorenzo, > > > > > > So you are trying to configure static destination nat. > > > > > > It may be easier to let FW-1 configure the nat rule by configuring the > > > NAT tab in the workstation object which represents the internal machine. > > > Because you are using static destination nat you'll have to configure a > > > route on the firewall for the external ip adress and have it point to > > > the internal ip adress of the www server. In your firewall object > > > you'll have to configure antispoofing on the internal interface and add > > > the external ip adress of the www server. Finally you'll want to > > > publish the external ip adress on your gateway via arp so the external > > > router knows where to send the packets. > > > > > > Regards, > > > > > > Werner > > > > > > > > > > > > -----Original Message----- > > > From: Satana [mailto:[email protected]] > > > Sent: Tuesday, September 25, 2001 10:51 AM > > > To: [email protected] > > > Subject: [FW1] NAT Problem > > > > > > > > > Hi everybody > > > I've got tihs problem: I have to publish over www an internal machine > > > (which obviously has an internal IP adress) and I have to make FW1 nat > > > its ip to the external ip adress (that is already routed on the right > > > router & CDN). > > > I've made a rule within the "Adress Translation" which says as original > > > packet : > > > SOURCE : Internal IP > > > DESTINATION : Any > > > SERVICE : Any > > > as translated packet: > > > SOURCE : External IP > > > DESTINATION : Original > > > Service : Original > > > And it's obviously installed on FW1 cluster. > > > There's also a rule in security policy: > > > SOURCE : Any > > > DESTINATION : External IP > > > SERVICE : http > > > ACTION : Accept > > > What I have to do now ? To me it seems all fine, but it doesn't work. > > > Where I'm doing it wrong ? > > > Thanks in advance > > > > > > Lorenzo > > > > > > > > > > > > > > ============================================================================ > > ==== > > > To unsubscribe from this mailing list, please see the instructions at > > > http://www.checkpoint.com/services/mailing.html > > > > > ============================================================================ > > ==== > > > > > > > ============================================================================ ==== > > To unsubscribe from this mailing list, please see the instructions at > > http://www.checkpoint.com/services/mailing.html > > ============================================================================ ==== > ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== _____________________________________________________________________ IMPORTANT NOTICES: This message is intended only for the addressee. Please notify the sender by e-mail if you are not the intended recipient. If you are not the intended recipient, you may not copy, disclose, or distribute this message or its contents to any other person and any such actions may be unlawful. Banc of America Securities LLC("BAS") does not accept time sensitive, action-oriented messages or transaction orders, including orders to purchase or sell securities, via e-mail. BAS reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the BAS e-mail system. ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|